2019-06-03 07:44:50 +02:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2015-10-22 08:32:18 +01:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2015 - ARM Ltd
|
|
|
|
|
* Author: Marc Zyngier <marc.zyngier@arm.com>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/linkage.h>
|
|
|
|
|
|
2019-06-18 16:17:37 +01:00
|
|
|
#include <asm/alternative.h>
|
2015-10-22 08:32:18 +01:00
|
|
|
#include <asm/assembler.h>
|
|
|
|
|
#include <asm/fpsimdmacros.h>
|
|
|
|
|
#include <asm/kvm.h>
|
|
|
|
|
#include <asm/kvm_arm.h>
|
|
|
|
|
#include <asm/kvm_asm.h>
|
|
|
|
|
#include <asm/kvm_mmu.h>
|
2021-06-21 12:17:13 +01:00
|
|
|
#include <asm/kvm_mte.h>
|
KVM: arm/arm64: Context-switch ptrauth registers
When pointer authentication is supported, a guest may wish to use it.
This patch adds the necessary KVM infrastructure for this to work, with
a semi-lazy context switch of the pointer auth state.
Pointer authentication feature is only enabled when VHE is built
in the kernel and present in the CPU implementation so only VHE code
paths are modified.
When we schedule a vcpu, we disable guest usage of pointer
authentication instructions and accesses to the keys. While these are
disabled, we avoid context-switching the keys. When we trap the guest
trying to use pointer authentication functionality, we change to eagerly
context-switching the keys, and enable the feature. The next time the
vcpu is scheduled out/in, we start again. However the host key save is
optimized and implemented inside ptrauth instruction/register access
trap.
Pointer authentication consists of address authentication and generic
authentication, and CPUs in a system might have varied support for
either. Where support for either feature is not uniform, it is hidden
from guests via ID register emulation, as a result of the cpufeature
framework in the host.
Unfortunately, address authentication and generic authentication cannot
be trapped separately, as the architecture provides a single EL2 trap
covering both. If we wish to expose one without the other, we cannot
prevent a (badly-written) guest from intermittently using a feature
which is not uniformly supported (when scheduled on a physical CPU which
supports the relevant feature). Hence, this patch expects both type of
authentication to be present in a cpu.
This switch of key is done from guest enter/exit assembly as preparation
for the upcoming in-kernel pointer authentication support. Hence, these
key switching routines are not implemented in C code as they may cause
pointer authentication key signing error in some situations.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[Only VHE, key switch in full assembly, vcpu_has_ptrauth checks
, save host key in ptrauth exception trap]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
[maz: various fixups]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2019-04-23 10:12:35 +05:30
|
|
|
#include <asm/kvm_ptrauth.h>
|
2015-10-22 08:32:18 +01:00
|
|
|
|
|
|
|
|
.text
|
|
|
|
|
|
|
|
|
|
/*
|
2020-09-15 11:46:32 +01:00
|
|
|
* u64 __guest_enter(struct kvm_vcpu *vcpu);
|
2015-10-22 08:32:18 +01:00
|
|
|
*/
|
2020-01-20 12:47:06 +00:00
|
|
|
SYM_FUNC_START(__guest_enter)
|
2015-10-22 08:32:18 +01:00
|
|
|
// x0: vcpu
|
2020-09-15 11:46:32 +01:00
|
|
|
// x1-x17: clobbered by macros
|
2019-12-06 14:13:39 -08:00
|
|
|
// x29: guest context
|
2015-10-22 08:32:18 +01:00
|
|
|
|
2020-09-30 14:05:35 +01:00
|
|
|
adr_this_cpu x1, kvm_hyp_ctxt, x2
|
2020-09-15 11:46:32 +01:00
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Store the hyp regs
|
2015-10-22 08:32:18 +01:00
|
|
|
save_callee_saved_regs x1
|
|
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Save hyp's sp_el0
|
2020-04-24 14:24:34 +01:00
|
|
|
save_sp_el0 x1, x2
|
|
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Now the hyp state is stored if we have a pending RAS SError it must
|
|
|
|
|
// affect the host or hyp. If any asynchronous exception is pending we
|
|
|
|
|
// defer the guest entry. The DSB isn't necessary before v8.2 as any
|
|
|
|
|
// SError would be fatal.
|
2019-06-18 16:17:37 +01:00
|
|
|
alternative_if ARM64_HAS_RAS_EXTN
|
|
|
|
|
dsb nshst
|
|
|
|
|
isb
|
|
|
|
|
alternative_else_nop_endif
|
|
|
|
|
mrs x1, isr_el1
|
|
|
|
|
cbz x1, 1f
|
KVM: arm64: Eagerly switch ZCR_EL{1,2}
In non-protected KVM modes, while the guest FPSIMD/SVE/SME state is live on the
CPU, the host's active SVE VL may differ from the guest's maximum SVE VL:
* For VHE hosts, when a VM uses NV, ZCR_EL2 contains a value constrained
by the guest hypervisor, which may be less than or equal to that
guest's maximum VL.
Note: in this case the value of ZCR_EL1 is immaterial due to E2H.
* For nVHE/hVHE hosts, ZCR_EL1 contains a value written by the guest,
which may be less than or greater than the guest's maximum VL.
Note: in this case hyp code traps host SVE usage and lazily restores
ZCR_EL2 to the host's maximum VL, which may be greater than the
guest's maximum VL.
This can be the case between exiting a guest and kvm_arch_vcpu_put_fp().
If a softirq is taken during this period and the softirq handler tries
to use kernel-mode NEON, then the kernel will fail to save the guest's
FPSIMD/SVE state, and will pend a SIGKILL for the current thread.
This happens because kvm_arch_vcpu_ctxsync_fp() binds the guest's live
FPSIMD/SVE state with the guest's maximum SVE VL, and
fpsimd_save_user_state() verifies that the live SVE VL is as expected
before attempting to save the register state:
| if (WARN_ON(sve_get_vl() != vl)) {
| force_signal_inject(SIGKILL, SI_KERNEL, 0, 0);
| return;
| }
Fix this and make this a bit easier to reason about by always eagerly
switching ZCR_EL{1,2} at hyp during guest<->host transitions. With this
happening, there's no need to trap host SVE usage, and the nVHE/nVHE
__deactivate_cptr_traps() logic can be simplified to enable host access
to all present FPSIMD/SVE/SME features.
In protected nVHE/hVHE modes, the host's state is always saved/restored
by hyp, and the guest's state is saved prior to exit to the host, so
from the host's PoV the guest never has live FPSIMD/SVE/SME state, and
the host's ZCR_EL1 is never clobbered by hyp.
Fixes: 8c8010d69c132273 ("KVM: arm64: Save/restore SVE state for nVHE")
Fixes: 2e3cf82063a00ea0 ("KVM: arm64: nv: Ensure correct VL is loaded before saving SVE state")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20250210195226.1215254-9-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
2025-02-10 19:52:26 +00:00
|
|
|
|
|
|
|
|
// Ensure that __guest_enter() always provides a context
|
|
|
|
|
// synchronization event so that callers don't need ISBs for anything
|
|
|
|
|
// that would usually be synchonized by the ERET.
|
|
|
|
|
isb
|
2019-06-18 16:17:37 +01:00
|
|
|
mov x0, #ARM_EXCEPTION_IRQ
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
1:
|
2020-09-15 11:46:34 +01:00
|
|
|
set_loaded_vcpu x0, x1, x2
|
|
|
|
|
|
2019-12-06 14:13:39 -08:00
|
|
|
add x29, x0, #VCPU_CONTEXT
|
2015-10-22 08:32:18 +01:00
|
|
|
|
2021-06-21 12:17:13 +01:00
|
|
|
// mte_switch_to_guest(g_ctxt, h_ctxt, tmp1)
|
|
|
|
|
mte_switch_to_guest x29, x1, x2
|
|
|
|
|
|
KVM: arm/arm64: Context-switch ptrauth registers
When pointer authentication is supported, a guest may wish to use it.
This patch adds the necessary KVM infrastructure for this to work, with
a semi-lazy context switch of the pointer auth state.
Pointer authentication feature is only enabled when VHE is built
in the kernel and present in the CPU implementation so only VHE code
paths are modified.
When we schedule a vcpu, we disable guest usage of pointer
authentication instructions and accesses to the keys. While these are
disabled, we avoid context-switching the keys. When we trap the guest
trying to use pointer authentication functionality, we change to eagerly
context-switching the keys, and enable the feature. The next time the
vcpu is scheduled out/in, we start again. However the host key save is
optimized and implemented inside ptrauth instruction/register access
trap.
Pointer authentication consists of address authentication and generic
authentication, and CPUs in a system might have varied support for
either. Where support for either feature is not uniform, it is hidden
from guests via ID register emulation, as a result of the cpufeature
framework in the host.
Unfortunately, address authentication and generic authentication cannot
be trapped separately, as the architecture provides a single EL2 trap
covering both. If we wish to expose one without the other, we cannot
prevent a (badly-written) guest from intermittently using a feature
which is not uniformly supported (when scheduled on a physical CPU which
supports the relevant feature). Hence, this patch expects both type of
authentication to be present in a cpu.
This switch of key is done from guest enter/exit assembly as preparation
for the upcoming in-kernel pointer authentication support. Hence, these
key switching routines are not implemented in C code as they may cause
pointer authentication key signing error in some situations.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[Only VHE, key switch in full assembly, vcpu_has_ptrauth checks
, save host key in ptrauth exception trap]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
[maz: various fixups]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2019-04-23 10:12:35 +05:30
|
|
|
// Macro ptrauth_switch_to_guest format:
|
|
|
|
|
// ptrauth_switch_to_guest(guest cxt, tmp1, tmp2, tmp3)
|
|
|
|
|
// The below macro to restore guest keys is not implemented in C code
|
|
|
|
|
// as it may cause Pointer Authentication key signing mismatch errors
|
|
|
|
|
// when this feature is enabled for kernel code.
|
2019-12-06 14:13:39 -08:00
|
|
|
ptrauth_switch_to_guest x29, x0, x1, x2
|
KVM: arm/arm64: Context-switch ptrauth registers
When pointer authentication is supported, a guest may wish to use it.
This patch adds the necessary KVM infrastructure for this to work, with
a semi-lazy context switch of the pointer auth state.
Pointer authentication feature is only enabled when VHE is built
in the kernel and present in the CPU implementation so only VHE code
paths are modified.
When we schedule a vcpu, we disable guest usage of pointer
authentication instructions and accesses to the keys. While these are
disabled, we avoid context-switching the keys. When we trap the guest
trying to use pointer authentication functionality, we change to eagerly
context-switching the keys, and enable the feature. The next time the
vcpu is scheduled out/in, we start again. However the host key save is
optimized and implemented inside ptrauth instruction/register access
trap.
Pointer authentication consists of address authentication and generic
authentication, and CPUs in a system might have varied support for
either. Where support for either feature is not uniform, it is hidden
from guests via ID register emulation, as a result of the cpufeature
framework in the host.
Unfortunately, address authentication and generic authentication cannot
be trapped separately, as the architecture provides a single EL2 trap
covering both. If we wish to expose one without the other, we cannot
prevent a (badly-written) guest from intermittently using a feature
which is not uniformly supported (when scheduled on a physical CPU which
supports the relevant feature). Hence, this patch expects both type of
authentication to be present in a cpu.
This switch of key is done from guest enter/exit assembly as preparation
for the upcoming in-kernel pointer authentication support. Hence, these
key switching routines are not implemented in C code as they may cause
pointer authentication key signing error in some situations.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[Only VHE, key switch in full assembly, vcpu_has_ptrauth checks
, save host key in ptrauth exception trap]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
[maz: various fixups]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2019-04-23 10:12:35 +05:30
|
|
|
|
2020-04-24 14:24:34 +01:00
|
|
|
// Restore the guest's sp_el0
|
|
|
|
|
restore_sp_el0 x29, x0
|
|
|
|
|
|
2016-08-30 21:08:32 -05:00
|
|
|
// Restore guest regs x0-x17
|
2019-12-06 14:13:39 -08:00
|
|
|
ldp x0, x1, [x29, #CPU_XREG_OFFSET(0)]
|
|
|
|
|
ldp x2, x3, [x29, #CPU_XREG_OFFSET(2)]
|
|
|
|
|
ldp x4, x5, [x29, #CPU_XREG_OFFSET(4)]
|
|
|
|
|
ldp x6, x7, [x29, #CPU_XREG_OFFSET(6)]
|
|
|
|
|
ldp x8, x9, [x29, #CPU_XREG_OFFSET(8)]
|
|
|
|
|
ldp x10, x11, [x29, #CPU_XREG_OFFSET(10)]
|
|
|
|
|
ldp x12, x13, [x29, #CPU_XREG_OFFSET(12)]
|
|
|
|
|
ldp x14, x15, [x29, #CPU_XREG_OFFSET(14)]
|
|
|
|
|
ldp x16, x17, [x29, #CPU_XREG_OFFSET(16)]
|
|
|
|
|
|
|
|
|
|
// Restore guest regs x18-x29, lr
|
|
|
|
|
restore_callee_saved_regs x29
|
2015-10-22 08:32:18 +01:00
|
|
|
|
|
|
|
|
// Do not touch any register after this!
|
|
|
|
|
eret
|
2018-06-14 11:23:38 +01:00
|
|
|
sb
|
2015-10-22 08:32:18 +01:00
|
|
|
|
2024-06-10 07:32:30 +01:00
|
|
|
SYM_INNER_LABEL(__guest_exit_restore_elr_and_panic, SYM_L_GLOBAL)
|
|
|
|
|
// x2-x29,lr: vcpu regs
|
|
|
|
|
// vcpu x0-x1 on the stack
|
|
|
|
|
|
|
|
|
|
adr_this_cpu x0, kvm_hyp_ctxt, x1
|
|
|
|
|
ldr x0, [x0, #CPU_ELR_EL2]
|
|
|
|
|
msr elr_el2, x0
|
|
|
|
|
|
2020-09-15 11:46:34 +01:00
|
|
|
SYM_INNER_LABEL(__guest_exit_panic, SYM_L_GLOBAL)
|
|
|
|
|
// x2-x29,lr: vcpu regs
|
|
|
|
|
// vcpu x0-x1 on the stack
|
|
|
|
|
|
|
|
|
|
// If the hyp context is loaded, go straight to hyp_panic
|
|
|
|
|
get_loaded_vcpu x0, x1
|
2021-03-05 12:21:24 -08:00
|
|
|
cbnz x0, 1f
|
|
|
|
|
b hyp_panic
|
2020-09-15 11:46:34 +01:00
|
|
|
|
2021-03-05 12:21:24 -08:00
|
|
|
1:
|
2020-09-15 11:46:34 +01:00
|
|
|
// The hyp context is saved so make sure it is restored to allow
|
|
|
|
|
// hyp_panic to run at hyp and, subsequently, panic to run in the host.
|
|
|
|
|
// This makes use of __guest_exit to avoid duplication but sets the
|
|
|
|
|
// return address to tail call into hyp_panic. As a side effect, the
|
|
|
|
|
// current state is saved to the guest context but it will only be
|
|
|
|
|
// accurate if the guest had been completely restored.
|
2020-09-30 14:05:35 +01:00
|
|
|
adr_this_cpu x0, kvm_hyp_ctxt, x1
|
2021-03-05 12:21:24 -08:00
|
|
|
adr_l x1, hyp_panic
|
2020-09-15 11:46:34 +01:00
|
|
|
str x1, [x0, #CPU_XREG_OFFSET(30)]
|
|
|
|
|
|
|
|
|
|
get_vcpu_ptr x1, x0
|
|
|
|
|
|
2020-01-20 12:47:06 +00:00
|
|
|
SYM_INNER_LABEL(__guest_exit, SYM_L_GLOBAL)
|
2016-08-30 21:08:32 -05:00
|
|
|
// x0: return code
|
|
|
|
|
// x1: vcpu
|
|
|
|
|
// x2-x29,lr: vcpu regs
|
|
|
|
|
// vcpu x0-x1 on the stack
|
|
|
|
|
|
|
|
|
|
add x1, x1, #VCPU_CONTEXT
|
|
|
|
|
|
2016-09-01 15:29:03 +01:00
|
|
|
ALTERNATIVE(nop, SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
|
|
|
|
|
|
2016-08-30 21:08:32 -05:00
|
|
|
// Store the guest regs x2 and x3
|
|
|
|
|
stp x2, x3, [x1, #CPU_XREG_OFFSET(2)]
|
|
|
|
|
|
|
|
|
|
// Retrieve the guest regs x0-x1 from the stack
|
|
|
|
|
ldp x2, x3, [sp], #16 // x0, x1
|
|
|
|
|
|
2019-12-06 14:13:39 -08:00
|
|
|
// Store the guest regs x0-x1 and x4-x17
|
2016-08-30 21:08:32 -05:00
|
|
|
stp x2, x3, [x1, #CPU_XREG_OFFSET(0)]
|
|
|
|
|
stp x4, x5, [x1, #CPU_XREG_OFFSET(4)]
|
|
|
|
|
stp x6, x7, [x1, #CPU_XREG_OFFSET(6)]
|
|
|
|
|
stp x8, x9, [x1, #CPU_XREG_OFFSET(8)]
|
|
|
|
|
stp x10, x11, [x1, #CPU_XREG_OFFSET(10)]
|
|
|
|
|
stp x12, x13, [x1, #CPU_XREG_OFFSET(12)]
|
|
|
|
|
stp x14, x15, [x1, #CPU_XREG_OFFSET(14)]
|
|
|
|
|
stp x16, x17, [x1, #CPU_XREG_OFFSET(16)]
|
|
|
|
|
|
2019-12-06 14:13:39 -08:00
|
|
|
// Store the guest regs x18-x29, lr
|
2016-08-30 21:08:32 -05:00
|
|
|
save_callee_saved_regs x1
|
2015-10-22 08:32:18 +01:00
|
|
|
|
2020-04-24 14:24:34 +01:00
|
|
|
// Store the guest's sp_el0
|
|
|
|
|
save_sp_el0 x1, x2
|
|
|
|
|
|
2020-09-30 14:05:35 +01:00
|
|
|
adr_this_cpu x2, kvm_hyp_ctxt, x3
|
2015-10-22 08:32:18 +01:00
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Macro ptrauth_switch_to_hyp format:
|
|
|
|
|
// ptrauth_switch_to_hyp(guest cxt, host cxt, tmp1, tmp2, tmp3)
|
KVM: arm/arm64: Context-switch ptrauth registers
When pointer authentication is supported, a guest may wish to use it.
This patch adds the necessary KVM infrastructure for this to work, with
a semi-lazy context switch of the pointer auth state.
Pointer authentication feature is only enabled when VHE is built
in the kernel and present in the CPU implementation so only VHE code
paths are modified.
When we schedule a vcpu, we disable guest usage of pointer
authentication instructions and accesses to the keys. While these are
disabled, we avoid context-switching the keys. When we trap the guest
trying to use pointer authentication functionality, we change to eagerly
context-switching the keys, and enable the feature. The next time the
vcpu is scheduled out/in, we start again. However the host key save is
optimized and implemented inside ptrauth instruction/register access
trap.
Pointer authentication consists of address authentication and generic
authentication, and CPUs in a system might have varied support for
either. Where support for either feature is not uniform, it is hidden
from guests via ID register emulation, as a result of the cpufeature
framework in the host.
Unfortunately, address authentication and generic authentication cannot
be trapped separately, as the architecture provides a single EL2 trap
covering both. If we wish to expose one without the other, we cannot
prevent a (badly-written) guest from intermittently using a feature
which is not uniformly supported (when scheduled on a physical CPU which
supports the relevant feature). Hence, this patch expects both type of
authentication to be present in a cpu.
This switch of key is done from guest enter/exit assembly as preparation
for the upcoming in-kernel pointer authentication support. Hence, these
key switching routines are not implemented in C code as they may cause
pointer authentication key signing error in some situations.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[Only VHE, key switch in full assembly, vcpu_has_ptrauth checks
, save host key in ptrauth exception trap]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
[maz: various fixups]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2019-04-23 10:12:35 +05:30
|
|
|
// The below macro to save/restore keys is not implemented in C code
|
|
|
|
|
// as it may cause Pointer Authentication key signing mismatch errors
|
|
|
|
|
// when this feature is enabled for kernel code.
|
2020-09-15 11:46:33 +01:00
|
|
|
ptrauth_switch_to_hyp x1, x2, x3, x4, x5
|
KVM: arm/arm64: Context-switch ptrauth registers
When pointer authentication is supported, a guest may wish to use it.
This patch adds the necessary KVM infrastructure for this to work, with
a semi-lazy context switch of the pointer auth state.
Pointer authentication feature is only enabled when VHE is built
in the kernel and present in the CPU implementation so only VHE code
paths are modified.
When we schedule a vcpu, we disable guest usage of pointer
authentication instructions and accesses to the keys. While these are
disabled, we avoid context-switching the keys. When we trap the guest
trying to use pointer authentication functionality, we change to eagerly
context-switching the keys, and enable the feature. The next time the
vcpu is scheduled out/in, we start again. However the host key save is
optimized and implemented inside ptrauth instruction/register access
trap.
Pointer authentication consists of address authentication and generic
authentication, and CPUs in a system might have varied support for
either. Where support for either feature is not uniform, it is hidden
from guests via ID register emulation, as a result of the cpufeature
framework in the host.
Unfortunately, address authentication and generic authentication cannot
be trapped separately, as the architecture provides a single EL2 trap
covering both. If we wish to expose one without the other, we cannot
prevent a (badly-written) guest from intermittently using a feature
which is not uniformly supported (when scheduled on a physical CPU which
supports the relevant feature). Hence, this patch expects both type of
authentication to be present in a cpu.
This switch of key is done from guest enter/exit assembly as preparation
for the upcoming in-kernel pointer authentication support. Hence, these
key switching routines are not implemented in C code as they may cause
pointer authentication key signing error in some situations.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[Only VHE, key switch in full assembly, vcpu_has_ptrauth checks
, save host key in ptrauth exception trap]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
[maz: various fixups]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2019-04-23 10:12:35 +05:30
|
|
|
|
2021-06-21 12:17:13 +01:00
|
|
|
// mte_switch_to_hyp(g_ctxt, h_ctxt, reg1)
|
|
|
|
|
mte_switch_to_hyp x1, x2, x3
|
|
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Restore hyp's sp_el0
|
2020-04-24 14:24:34 +01:00
|
|
|
restore_sp_el0 x2, x3
|
|
|
|
|
|
2020-09-15 11:46:33 +01:00
|
|
|
// Now restore the hyp regs
|
2015-10-22 08:32:18 +01:00
|
|
|
restore_callee_saved_regs x2
|
|
|
|
|
|
2021-03-05 18:52:48 +00:00
|
|
|
set_loaded_vcpu xzr, x2, x3
|
2020-09-15 11:46:34 +01:00
|
|
|
|
KVM: arm64: Handle RAS SErrors from EL2 on guest exit
We expect to have firmware-first handling of RAS SErrors, with errors
notified via an APEI method. For systems without firmware-first, add
some minimal handling to KVM.
There are two ways KVM can take an SError due to a guest, either may be a
RAS error: we exit the guest due to an SError routed to EL2 by HCR_EL2.AMO,
or we take an SError from EL2 when we unmask PSTATE.A from __guest_exit.
The current SError from EL2 code unmasks SError and tries to fence any
pending SError into a single instruction window. It then leaves SError
unmasked.
With the v8.2 RAS Extensions we may take an SError for a 'corrected'
error, but KVM is only able to handle SError from EL2 if they occur
during this single instruction window...
The RAS Extensions give us a new instruction to synchronise and
consume SErrors. The RAS Extensions document (ARM DDI0587),
'2.4.1 ESB and Unrecoverable errors' describes ESB as synchronising
SError interrupts generated by 'instructions, translation table walks,
hardware updates to the translation tables, and instruction fetches on
the same PE'. This makes ESB equivalent to KVMs existing
'dsb, mrs-daifclr, isb' sequence.
Use the alternatives to synchronise and consume any SError using ESB
instead of unmasking and taking the SError. Set ARM_EXIT_WITH_SERROR_BIT
in the exit_code so that we can restart the vcpu if it turns out this
SError has no impact on the vcpu.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-01-15 19:39:05 +00:00
|
|
|
alternative_if ARM64_HAS_RAS_EXTN
|
|
|
|
|
// If we have the RAS extensions we can consume a pending error
|
2019-06-18 16:17:36 +01:00
|
|
|
// without an unmask-SError and isb. The ESB-instruction consumed any
|
|
|
|
|
// pending guest error when we took the exception from the guest.
|
KVM: arm64: Handle RAS SErrors from EL2 on guest exit
We expect to have firmware-first handling of RAS SErrors, with errors
notified via an APEI method. For systems without firmware-first, add
some minimal handling to KVM.
There are two ways KVM can take an SError due to a guest, either may be a
RAS error: we exit the guest due to an SError routed to EL2 by HCR_EL2.AMO,
or we take an SError from EL2 when we unmask PSTATE.A from __guest_exit.
The current SError from EL2 code unmasks SError and tries to fence any
pending SError into a single instruction window. It then leaves SError
unmasked.
With the v8.2 RAS Extensions we may take an SError for a 'corrected'
error, but KVM is only able to handle SError from EL2 if they occur
during this single instruction window...
The RAS Extensions give us a new instruction to synchronise and
consume SErrors. The RAS Extensions document (ARM DDI0587),
'2.4.1 ESB and Unrecoverable errors' describes ESB as synchronising
SError interrupts generated by 'instructions, translation table walks,
hardware updates to the translation tables, and instruction fetches on
the same PE'. This makes ESB equivalent to KVMs existing
'dsb, mrs-daifclr, isb' sequence.
Use the alternatives to synchronise and consume any SError using ESB
instead of unmasking and taking the SError. Set ARM_EXIT_WITH_SERROR_BIT
in the exit_code so that we can restart the vcpu if it turns out this
SError has no impact on the vcpu.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-01-15 19:39:05 +00:00
|
|
|
mrs_s x2, SYS_DISR_EL1
|
|
|
|
|
str x2, [x1, #(VCPU_FAULT_DISR - VCPU_CONTEXT)]
|
|
|
|
|
cbz x2, 1f
|
|
|
|
|
msr_s SYS_DISR_EL1, xzr
|
|
|
|
|
orr x0, x0, #(1<<ARM_EXIT_WITH_SERROR_BIT)
|
|
|
|
|
1: ret
|
|
|
|
|
alternative_else
|
2019-06-18 16:18:09 +01:00
|
|
|
dsb sy // Synchronize against in-flight ld/st
|
|
|
|
|
isb // Prevent an early read of side-effect free ISR
|
|
|
|
|
mrs x2, isr_el1
|
2022-12-27 17:05:05 +00:00
|
|
|
tbnz x2, #ISR_EL1_A_SHIFT, 2f
|
2019-06-18 16:18:09 +01:00
|
|
|
ret
|
|
|
|
|
nop
|
|
|
|
|
2:
|
|
|
|
|
alternative_endif
|
|
|
|
|
// We know we have a pending asynchronous abort, now is the
|
|
|
|
|
// time to flush it out. From your VAXorcist book, page 666:
|
2016-09-06 14:02:07 +01:00
|
|
|
// "Threaten me not, oh Evil one! For I speak with
|
|
|
|
|
// the power of DEC, and I command thee to show thyself!"
|
|
|
|
|
mrs x2, elr_el2
|
|
|
|
|
mrs x3, esr_el2
|
|
|
|
|
mrs x4, spsr_el2
|
|
|
|
|
mov x5, x0
|
|
|
|
|
|
|
|
|
|
msr daifclr, #4 // Unmask aborts
|
|
|
|
|
|
|
|
|
|
// This is our single instruction exception window. A pending
|
|
|
|
|
// SError is guaranteed to occur at the earliest when we unmask
|
|
|
|
|
// it, and at the latest just after the ISB.
|
|
|
|
|
abort_guest_exit_start:
|
|
|
|
|
|
|
|
|
|
isb
|
|
|
|
|
|
|
|
|
|
abort_guest_exit_end:
|
|
|
|
|
|
2019-06-18 16:18:08 +01:00
|
|
|
msr daifset, #4 // Mask aborts
|
2020-08-21 15:07:05 +01:00
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
_kvm_extable abort_guest_exit_start, 9997f
|
|
|
|
|
_kvm_extable abort_guest_exit_end, 9997f
|
|
|
|
|
9997:
|
|
|
|
|
msr daifset, #4 // Mask aborts
|
|
|
|
|
mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
|
2019-06-18 16:18:08 +01:00
|
|
|
|
2020-08-21 15:07:05 +01:00
|
|
|
// restore the EL1 exception context so that we can report some
|
|
|
|
|
// information. Merge the exception code with the SError pending bit.
|
2016-09-06 14:02:07 +01:00
|
|
|
msr elr_el2, x2
|
|
|
|
|
msr esr_el2, x3
|
|
|
|
|
msr spsr_el2, x4
|
|
|
|
|
orr x0, x0, x5
|
|
|
|
|
1: ret
|
2020-01-20 12:47:06 +00:00
|
|
|
SYM_FUNC_END(__guest_enter)
|